
This queue is for tickets about the CGI-Application-Plugin-CAPTCHA CPAN distribution.

Report information
The Basics
Id: 30759
Status: new
Priority: 0/
Queue: CGI-Application-Plugin-CAPTCHA

Owner: Nobody in particular
Requestors: klinteberg [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: not secure
Date: Thu, 15 Nov 2007 19:51:52 +0000
To: bug-cgi-application-plugin-captcha [...]
From: "Ludvig af Klinteberg" <klinteberg [...]>
I might be horribly wrong, but I really think that CGI::Application::Plugin::Captcha is unsafe. A malicious programmer creating an application to use the service can just have his application send along a cookie that he has created himself, and with that supply an appropriate verification string for his cookie. To avoid that you need to include some kind of hidden server-side password in the string being encrypted, and also include it when you verify.

--
Ludvig af Klinteberg
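The check the report asks for, sketched as an added example (not part of the ticket and not the plugin's own code). It assumes the cookie holds a digest of the expected answer; the unkeyed SHA-256 version stands in for the scheme the report describes, and all function names and the secret value are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex hmac_sha256_hex);

# Assumed stand-in for the reported scheme: the cookie is an unkeyed digest
# of the answer, so a matching cookie/answer pair needs no server involvement.
sub weak_token  { my ($answer) = @_; return sha256_hex(lc($answer)) }
sub weak_verify { my ($cookie, $typed) = @_; return $cookie eq weak_token($typed) }

# Hardened form: the digest is keyed with a secret that never leaves the server.
# Constructed placeholder; a real deployment loads this from protected config.
my $SERVER_SECRET = 'constructed-placeholder-secret';

sub keyed_token {
    my ($answer) = @_;
    return hmac_sha256_hex(lc($answer), $SERVER_SECRET);   # key is the last argument
}

# Constant-time comparison so the check does not reveal how many characters matched.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub keyed_verify {
    my ($cookie, $typed) = @_;
    return ct_eq($cookie // '', keyed_token($typed));
}

# Constructed sample: a cookie/answer pair built by the client itself,
# without the server ever issuing a challenge.
my $client_answer = 'abc123';
my $client_cookie = sha256_hex(lc($client_answer));

printf "unkeyed check accepts client-made cookie: %s\n",
    weak_verify($client_cookie, $client_answer) ? 'yes' : 'no';
printf "keyed check accepts client-made cookie:   %s\n",
    keyed_verify($client_cookie, $client_answer) ? 'yes' : 'no';
printf "keyed check accepts server-issued cookie: %s\n",
    keyed_verify(keyed_token('abc123'), 'ABC123') ? 'yes' : 'no';
```

A keyed digest stops client-made cookies, but one solved server-issued pair can still be resubmitted unless an expiry time is included in the string being authenticated.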
